Description
Missing Authorization vulnerability in FRESHFACE Custom CSS custom-css-editor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Custom CSS: from n/a through <= 1.4.0.
Published: 2025-10-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the FRESHFACE Custom CSS plugin (slug custom-css-editor) is a Missing Authorization flaw (CWE-862): a plugin function that edits the site's CSS can be reached without the plugin verifying that the caller is permitted to use it. The published CVSS vector (AV:N/AC:L/PR:N/UI:N) rates the attack as remote, low complexity and requiring no privileges, so the unchecked function should be assumed reachable by any client that can send requests to the site. An attacker who reaches it can change the CSS served to every visitor, compromising the site's integrity and trustworthiness (defacement, hiding or restyling content). The description does not say which endpoint or handler lacks the check.

Affected Systems

The affected product is the FRESHFACE Custom CSS plugin for WordPress. All installations of version 1.4.0 or earlier are vulnerable. No other vendors or products are implicated.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (Medium) comes from the vector AV:N/AC:L/PR:N/UI:N/S:U: network-reachable, low attack complexity, no privileges and no user interaction, with no scope change. The impact components of the recorded vector were revised in April 2026 (see History) while the score stayed 6.5; in both versions the integrity impact is Low. The EPSS score of < 1% reflects a very low estimated likelihood of exploitation at the time of analysis, the SSVC assessment records Exploitation: none and Technical Impact: partial (Automatable was revised from no to yes on 23 Oct 2025), and the vulnerability is not listed in the CISA KEV catalog. Given PR:N, the likely attack path is a direct web request to the plugin's CSS-editing functionality without any WordPress login; the description does not say whether that is an admin-ajax action, a REST route or a form handler. The result is unauthorized changes to the site's CSS, affecting the site's appearance and user trust rather than confidentiality of data.

Generated by OpenCVE AI on April 30, 2026 at 14:53 UTC.
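The pattern the advisory describes, as an added example that is not code from the Custom CSS plugin, from FRESHFACE or from OpenCVE: a WordPress AJAX handler that saves site CSS without any authorization check (CWE-862), beside a hardened version of the same handler. The action names (example_save_css*), the option name, the function names and the script handle are assumptions chosen for illustration; the WordPress calls used (add_action, current_user_can, check_ajax_referer, wp_send_json_error, update_option, wp_strip_all_tags, wp_create_nonce) are real core functions.

```php
<?php
/**
 * Added example (not the Custom CSS plugin's code): the CWE-862 pattern beside
 * its fix. Action names (example_save_css*), the option name, the function
 * names and the script handle are assumptions for illustration; the WordPress
 * functions called are real core APIs.
 */

// ---- Vulnerable pattern ----------------------------------------------------
// The handler is hooked on wp_ajax_nopriv_ as well as wp_ajax_, so any remote
// client can reach it through wp-admin/admin-ajax.php (matching AV:N/PR:N), and
// nothing in the body asks whether the caller may change the site's CSS.
// It is registered under its own action name only so both variants can sit in
// one file; a real plugin would not ship this one.
function example_save_css_unchecked() {
    $css = isset( $_POST['css'] ) ? (string) wp_unslash( $_POST['css'] ) : '';
    update_option( 'example_custom_css', $css );            // overwrites site-wide CSS
    wp_send_json_success( array( 'bytes' => strlen( $css ) ) );
}
add_action( 'wp_ajax_example_save_css_unchecked', 'example_save_css_unchecked' );
add_action( 'wp_ajax_nopriv_example_save_css_unchecked', 'example_save_css_unchecked' );

// ---- Hardened pattern ------------------------------------------------------
function example_save_css() {
    // 1. Authorization (the check CWE-862 is about). 'edit_css' is the capability
    //    core uses for its own Additional CSS; map_meta_cap resolves it to
    //    'unfiltered_html', so it is denied wherever DISALLOW_UNFILTERED_HTML applies.
    if ( ! current_user_can( 'edit_css' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    // 2. CSRF: the request must carry a nonce issued for this action to this user.
    //    A nonce is not an authorization check; it only proves the request came
    //    from a page WordPress rendered for the current user.
    check_ajax_referer( 'example_save_css', 'nonce' );

    // 3. Input: keep it text. Stripping tags removes a '</style>' that would
    //    otherwise let a stored CSS value break out into HTML when printed below.
    $css = isset( $_POST['css'] ) ? (string) wp_unslash( $_POST['css'] ) : '';
    $css = wp_strip_all_tags( $css );

    update_option( 'example_custom_css', $css );
    wp_send_json_success( array( 'bytes' => strlen( $css ) ) );
}
// Deliberately no wp_ajax_nopriv_ hook: logged-out visitors have no business here.
add_action( 'wp_ajax_example_save_css', 'example_save_css' );

// The editor page obtains its nonce like this (the script handle is assumed):
// wp_localize_script( 'example-css-editor', 'exampleCss',
//     array( 'nonce' => wp_create_nonce( 'example_save_css' ) ) );

// Output side, shared by both variants: print the stored CSS in <head>.
function example_print_css() {
    $css = get_option( 'example_custom_css', '' );
    if ( '' !== $css ) {
        echo "<style id=\"example-custom-css\">\n" . wp_strip_all_tags( $css ) . "\n</style>\n";
    }
}
add_action( 'wp_head', 'example_print_css' );
```

The entire difference between the two handlers is the current_user_can call and the absence of the wp_ajax_nopriv_ hook. That is what a review of a plugin's save or update handlers should look for; REST routes have the same requirement in the form of a permission_callback that actually checks a capability, and a nonce check on its own does not satisfy it.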

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check whether the vendor has released a version of the Custom CSS plugin later than 1.4.0 and, if so, update to it. The affected range ends at 1.4.0, but no vendor fix or workaround is recorded on this page, so confirm from the release notes that a newer version actually addresses the authorization issue before relying on it.
  • If a newer version is unavailable or updating immediately is not possible, deactivate or remove the Custom CSS plugin from the WordPress installation until a patch can be applied.
  • Restrict who can reach the plugin's editing functionality, with one caveat: WordPress role and capability settings only take effect where the plugin's code actually calls a capability check, and a handler that performs none (the CWE-862 case, rated PR:N here) is reachable regardless of the caller's role. Treat tighter role permissions or an additional access control plugin as defence in depth, and prefer deactivation until a fixed version is confirmed.

Generated by OpenCVE AI on April 30, 2026 at 14:53 UTC.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1)
Values Removed: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 16:15:00 +0000

Metrics (ssvc)
Values Removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

First Time appeared
Values Added: Wordpress; Wordpress wordpress

Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 20:15:00 +0000

Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Oct 2025 14:45:00 +0000

Description
Values Added: Missing Authorization vulnerability in FRESHFACE Custom CSS custom-css-editor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Custom CSS: from n/a through <= 1.4.0.

Title
Values Added: WordPress Custom CSS plugin <= 1.4.0 - Broken Access Control vulnerability

Weaknesses
Values Added: CWE-862

References
Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:51.232Z

Reserved: 2025-05-15T17:54:23.205Z

Link: CVE-2025-48096

Vulnrichment

Updated: 2025-10-22T19:58:24.358Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:34.333

Modified: 2026-04-27T20:16:07.507

Link: CVE-2025-48096

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:00:14Z

Weaknesses